WP Shield Security PRO – Release 14.1

Our lastest ShieldPRO 14.1 security plugin for WordPress brings a huge WordPress REST API integration along with some much-needed tweaks and enhancements.

Read on to discover everything we’ve included in your newest and favourite WordPress Securty Plugin.

#1 Full Integration With WordPress REST API

Management of WordPress websites at scale is a huge challenge for all of us.

Consider the work that’s involved with managing just 1 WordPress site and all its plugins, themes, updates, backups and, of course, security.

Now multiply that by the number of WordPress sites you run.

It’s a huge amount of work.

This is why we built iControlWP many years back and why we also integrated Shield Security into it to allow WordPress admins to manage their WordPress sites at scale, and also their WordPress security.

But not everyone wants to use iControlWP and that’s totally cool! But we still want to open up management of Shield to folk that need to scale their WordPress security.

This is where our new WordPress REST API integration comes in. It leverages the very thorough platform that the WordPress Core provides, letting us build a REST API that is powerful, secure and easy to maintain.

Many clients won’t have a need for our REST API directly, but you may use tools and services that could take advantage of if you asked them to.

#2 Hugely Improved Audit & Traffic Logs

This is a big one.

short time ago we completely overhauled the Audit Trail and Traffic Logging features.

This involved a major revamp of the UI and the tables that display the logs.

As you can imagine, these tables and data set can grow very large, particularly for busy websites.

Since we were loading a large dataset all at once, browsing these log tables became tedious and slow. For high traffic sites, it would unusable in some cases resulting in loading errors!

So we went back to our core implementation (again) and made the entire thing dynamic. Instead of loading all the records, we only load precisely what we need. This makes the initial loading near-instant.

The pagination will be a bit slower than what you’re used to – but this is because we’re loading just the log records you need, when you need them.

We’ve also adjusted the traffic log database table structure to help us speed all this along and provide more useful information right where you need it.

This is a major reworking and we hope you’ll love it!

#3 Run Shield As A “Must-Use” (MU) Plugin

If you’ve never heard of a must-use WordPress plugin, don’t worry, you’re not alone.

Simply put, a must-use WordPress plugin is one that is automatically enabled and always loads when WordPress loads. These special plugins can’t be (easily) disabled and execute before all other plugins.

They’re installed in a different directory (/wp-content/mu-plugins/) instead of the default (/wp-content/plugins/).

So why would you want to switch Shield to be an MU plugin?

In much the same way as Shield offers the Security Admin module to protect against tampering, you could set Shield to be an MU plugin to prevent the plugin from being disabled accidentally, maliciously.

It’ll also ensure Shield executes before other plugins. While this won’t offer an advantage currently, we’ll soon adjust some Shield’s code to block malicious requests much earlier in the WordPress load.

What actually happens when you enable MU Mode?

The core of the Shield plugin will remain in the normal installation directory- /wp-content/plugins/.

Shield will then create a new file in the MU directory that loads the normal Shield plugin. When this happens you’ll see 2x Shield plugins installed on your site as shown below:

How can you disable Shield after enabling MU Mode?

Once MU mode is enabled, you can’t disable the normal Shield plugin from the WordPress dashboard. This is normal WordPress behviour.

However, you can simple revert the option within Shield’s settings to disable MU Mode, and then return the plugins screen and disable Shield like any other plugin.

The setting for MU Mode is found within the Security Admin module and doesn’t require a Security Admin PIN to be set.

Shield’s MU Mode plugin option

#4 Better Detection Of Incorrect Application Passwords

Following a suggestion from a client and also off the back of our REST API work we’ve improved how Shield captures and logs authentication failures when Application Passwords are used.

Until now Shield wasn’t correctly spotting when these application password login attempts were failing. We’ve added some new events and logging and we’ll even increase the offense counter for an IP address when the event is triggered.

We spotted these new events being triggered almost immediately after we put them live for testing.

#5 More Quick Access Data In Admin Bar

Some time ago we add a top menu to the WordPress admin bar to help indicate when Shield found some scan items that warrant further investigation.

The original WP Admin Bar addition by Shield Security
The original WP Admin Bar addition by Shield Security

After prompting for some extra information by a client, we’ve made some new helpful additions to the menu (see image below).

Shield’s Additional WP Admin Bar Items

Each of these additions provide helpful links to the item in question, for example:

  • Recently Blocked IPs and Offenses link to the IP Analyse Tool for the specific IP in-question.
  • Recent Sessions links to the Shield Sessions table and the individual session item in the menu links to the profile of the given user.

    Source :